"Daniel Richard G." <sk...@iskunk.org> writes:

> Thought about the upgrade process a bit. How about this:

> 1. kerberos-configs starts generating new krb5.conf files with
> minimum_uid=1000. Then a little later...

> 2. libpam-krb5 has minimum_uid removed from pam-configs/krb5. On
> upgrade, it checks to see if this is in krb5.conf. If yes, great. If no,
> then copy pam-configs/krb5 to e.g. krb5_old, have pam-auth-update use
> that instead of the new krb5 profile, and show a warning to the user.
> The user can dismiss the warning, and nothing changes for him/her.
> krb5_old sticks around as a conffile (removed if package is purged, but
> otherwise remains untouched by future upgrades), and the regular krb5
> profile doesn't have to be hobbled by backward-compatibility measures.

The input files to pam-auth-update aren't configuration files, so this
would need to change somewhat, but I think I can see how to do something
like this.  Basically, libpam-krb5 would ship two different krb5 PAM
profiles and select between them based on whether or not krb5.conf had a
minimum_uid setting.

However, so far as I can tell, there's no way to do this right now in the
existing pam-auth-update system.  The package doesn't tell pam-auth-update
which profile to add.  It just configures all of them.  So the user would
keep having to select between krb5 and krb5-old (or whatever) without
knowing which one to choose, and they'd conflict with each other, which
would make everything more complicated.

Steve, if you're still following this bug report, do you have any feelings
about how we should handle this?  My primary concern is ending up with
only ignore_root and not minimum_uid and hence opening a possible security
vulnerability wherein one could authenticate as a Kerberos principal named
daemon, etc., and log on to a system account.

Fixing Debian Bug#330882 (and in general not creating real shells for
system users) would remove a lot of my concern.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
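
The check the thread describes (does krb5.conf carry a minimum_uid for pam_krb5, and what is exposed if it does not) can be scripted. The script below is an added illustration, not code from this bug report, from libpam-krb5, or from kerberos-configs. It assumes the documented place for the option, the "pam" stanza under [appdefaults] in krb5.conf, and that system accounts live below UID 1000 (the value the thread proposes); both krb5.conf variants and the passwd file are constructed inline.

```shell
#!/bin/sh
# Added example: decide whether a krb5.conf protects system accounts with
# minimum_uid, and list which non-root system accounts pam_krb5 would still
# consider when only ignore_root is present.  All input files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed krb5.conf WITH minimum_uid (what kerberos-configs would generate).
cat >"$WORK/krb5-with.conf" <<'EOF'
[libdefaults]
	default_realm = EXAMPLE.COM

[appdefaults]
	pam = {
		minimum_uid = 1000
		ignore_root = true
	}
EOF

# Constructed krb5.conf WITHOUT it: only ignore_root, the case the mail worries about.
cat >"$WORK/krb5-without.conf" <<'EOF'
[libdefaults]
	default_realm = EXAMPLE.COM

[appdefaults]
	pam = {
		ignore_root = true
	}
EOF

# Constructed passwd: system accounts, one of which (backup) has a real shell.
cat >"$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Print the minimum_uid value from the pam stanza of [appdefaults], or nothing
# if it is unset.  Comments (# or ;) are skipped; "key = value" may have spaces.
krb5_pam_minimum_uid() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insect = ($0 ~ /^[ \t]*\[appdefaults\]/); next }
        insect && /^[ \t]*pam[ \t]*=[ \t]*[{]/ { inpam = 1; next }
        inpam && /^[ \t]*[}]/ { inpam = 0; next }
        inpam && /^[ \t]*minimum_uid[ \t]*=/ {
            sub(/^[ \t]*minimum_uid[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }
    ' "$1"
}

# Print "name shell" for every non-root account below UID 1000 that pam_krb5
# would still consider with the given minimum_uid ("" = option absent, so only
# ignore_root applies and root alone is skipped).
reachable_system_accounts() {
    min=${2:-0}
    awk -F: -v min="$min" '$3 > 0 && $3 < 1000 && $3 >= min { print $1, $7 }' "$1"
}

# Of those, the ones that would actually get a login shell, i.e. the accounts
# a Kerberos principal named like them could log on to (Bug#330882's concern).
reachable_with_shell() {
    reachable_system_accounts "$1" "$2" | grep -vE '/(nologin|false)$' || true
}

for conf in "$WORK/krb5-with.conf" "$WORK/krb5-without.conf"; do
    min=$(krb5_pam_minimum_uid "$conf")
    printf '%s: minimum_uid=%s\n' "$(basename "$conf")" "${min:-<unset>}"
    reachable_with_shell "$WORK/passwd" "$min" \
        | sed 's/^/  system account reachable via Kerberos with a shell: /'
done
```

Run as-is it reports no reachable account for the first file and "backup /bin/sh" for the second; daemon is reachable in the second case too but has no login shell, which is why fixing Bug#330882 narrows the exposure even without minimum_uid.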